
I tried to look for the answer on many websites. All of them explain it theoretically, but that didn't help me much as I didn't understand. I'm looking for sample code or a more practical solution, and also how to test for LFI. Thank you.

Penetration report attached

  • Why are you using WebForms in 2021? It's been obsolete for 13 years now. – Dai Aug 20 '21 at 01:42
  • I understand, but now it's already built and undergoing a penetration test to go live. I need to solve it in this environment now. Can you suggest anything please? – Sachin Reddy Aug 20 '21 at 02:07
  • You haven't posted enough details in your question to explain what the situation is. I've already explained that (normally) ASP.NET **cannot** have local-file-inclusion vulnerabilities because ASP.NET does not have an `include` feature that works like PHP's or SSI's does. Your application may have directory-traversal vulnerabilities or other vulnerabilities stemming from reckless handling of user-uploaded data and file-system paths, for example - but those are different classes of attack vectors. You haven't given us details to work with in your question. – Dai Aug 20 '21 at 02:15
  • I have attached the pentest report as well. And I don't understand why LFI is in only 2 parameters. Please let me know what information is required to solve this issue. Thanks. – Sachin Reddy Aug 20 '21 at 02:28
  • You are right, but there should be somewhere to start learning. I'm new to this security part. I would be grateful if you can help me. – Sachin Reddy Aug 20 '21 at 02:46
  • The vulnerability is a bit questionable: why should a password that looks like a Windows path have to throw an error? As long as it is treated as "plain text" (and for a password: hashed) and not as part of a file path, there shouldn't be an issue – Hans Kesting Aug 20 '21 at 08:33
  • @HansKesting This is one of those “a little knowledge is dangerous” situations. The OP is aware of a technical phrase and believes it’s an issue for them, but apparently lacks the understanding necessary to realise that it doesn’t affect them. – Dai Sep 18 '21 at 21:19
  • Actually I also have the same question in my mind @HansKesting. I have file-upload parameters as well on the same page, but it is showing the vulnerability in others. My confusion arises due to this. – Sachin Reddy Sep 21 '21 at 03:10

1 Answer


You don't need to: ASP.NET WebForms - in fact the entire stock ASP.NET and ASP.NET Core system does not support SSI or PHP-style "includes".

Dai
  • Yeah, thank you for the information. Right now what I need is to resolve it in ASP.NET Web Forms, as it cannot immediately be upgraded to newer technologies. – Sachin Reddy Sep 18 '21 at 10:34
  • @SachinReddy You misunderstand my answer. I **am** referring to WebForms. – Dai Sep 18 '21 at 21:18
  • Sorry, my bad @Dai. I understand now. But maybe I need to find the reason why it is showing a vulnerability, as in my attached report. – Sachin Reddy Sep 21 '21 at 03:05
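
Added example, not part of the original answer or comments: the comments separate PHP-style file inclusion from directory traversal through user-supplied file-system paths, and the C# below shows a containment check for the latter, for any request value that actually reaches a file API (a value that is only hashed or stored as text needs no such check). The class name, method name and sample root directory are hypothetical, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;

// Added illustration; SafePaths and ResolveUnderRoot are hypothetical names.
public static class SafePaths
{
    // Resolves a user-supplied file name beneath rootDir, or throws if the
    // canonical result would fall outside that directory.
    public static string ResolveUnderRoot(string rootDir, string userSuppliedName)
    {
        if (string.IsNullOrWhiteSpace(userSuppliedName))
            throw new ArgumentException("Empty file name.", nameof(userSuppliedName));

        // Canonical root with a trailing separator, so that a sibling such as
        // "uploads-old" is not mistaken for a child of "uploads".
        string root = Path.GetFullPath(rootDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments. Path.Combine returns the
        // second argument unchanged when it is rooted, so absolute input is
        // caught by the same prefix check below.
        string candidate = Path.GetFullPath(Path.Combine(root, userSuppliedName));

        // Case-insensitive comparison matches Windows file-system behaviour.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the allowed directory.");

        return candidate;
    }

    public static void Main()
    {
        // Constructed sample root and inputs, for demonstration only.
        string root = Path.Combine(Path.GetTempPath(), "uploads");
        string[] samples = { "report.pdf", "sub/report.pdf", "../web.config", @"C:\Windows\win.ini" };

        foreach (string s in samples)
        {
            try { Console.WriteLine("{0} -> {1}", s, ResolveUnderRoot(root, s)); }
            catch (Exception ex) { Console.WriteLine("{0} -> rejected ({1})", s, ex.GetType().Name); }
        }
    }
}
```

In WebForms code-behind the same check would sit between reading the request value and any `File` or `Response` call that takes a path.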